Overbearing data protection rules threaten cloud computing

A policy debate is raging in Europe over cloud computing and those who want to bind the cloud in over-prescriptive regulation threaten to prevent the benefits of the new technology being felt, argues Thomas Boué.

Thomas Boué is director of government relations for Europe, the Middle East and Africa at the Business Software Alliance, a trade association.

A quiet battle of wills has broken out among European policymakers who are pushing competing visions for how to capitalise on the most significant wave of innovation now underway in information technology: cloud computing.

All agree that by creating a new, more efficient architecture for computing, the cloud offers vast economic benefits. It lets enterprises avoid the cost of buying and maintaining some of the IT hardware and software they need to run their operations. Instead, they can have their computing resources delivered over the internet, as infinitely scalable services. For established companies, this creates cost savings that can be reinvested in the core business. For smaller start-ups, it represents one less obstacle on the path to growth.

But while some rightly see the cloud as an opportunity to accelerate commerce and expand global trade in digital services, others harbour more protectionist urges, focused on creating a European fiefdom in the cloud at the expense of global scale.

Europe’s data protection rules lie at the heart of the cloud computing proposition. The path European policymakers take will determine the extent to which Europe’s citizens and industries can take advantage of the global economic potential of the cloud. MEP Pilar Del Castillo (Spain; European People’s Party), in her report on the Commission’s cloud strategy, “Unleashing the Potential of Cloud Computing,” rightly points out that the biggest growth opportunities for European firms are likely to reside outside the EU.

Such global growth is contingent on a policy environment in which European enterprises can leverage digital technologies to do business wherever they find a market, and customers have access to the best technologies the world has to offer.

To that end, the draft General Data Protection Regulation must strike a better balance between privacy protections – which are unquestionably essential – and enabling digital technologies. One practical improvement to the Commission’s draft text would be to recognise context and risk in the definition of personal data. Different types of data, and different uses of data, carry different levels of risk and sensitivity. A context- and risk-based approach would ensure strong privacy protections are in place for truly sensitive user data, while making it easier for SMEs and businesses of all types and sizes to reap the benefits of innovative, data-enabled technologies by allowing data to flow through the global cloud – seamlessly and efficiently.

A global survey conducted by BSA earlier this year, benchmarking year-on-year changes in cloud-related laws and regulations in 24 countries around the world, found that many of Europe’s largest IT economies are falling behind other global markets in implementing cloud-friendly policies. Of the EU countries studied in the survey:

Germany was knocked into fourth place as the US rose to third in the rankings;

France and the UK dropped one place each to sixth and seventh respectively;

Italy dropped four places to 10th in the rankings, while Spain slipped two places to 11th; and

Poland slid one place to 12th.

Other countries, on the other hand, have lifted their games. Japan, Australia and the US top the global markets, and Singapore vaulted into the top five this year from 10th in the rankings in 2012.

There are lessons to be learned from these countries - about privacy and security laws that balance user protections and innovation; about encouraging investments in cloud research and development through modern intellectual property regimes; and about removing barriers to free trade so that cloud services can operate across national borders.

Policymakers must steer away from highly prescriptive, Europe-centric rules that could ultimately sideline the EU from the global cloud market. Any short-term benefits that might come from keeping the cloud within European borders could be easily overshadowed by the opportunity costs associated with losing access to foreign markets, should those countries follow suit with protectionist barriers of their own.

The cloud is a major economic opportunity, but to capture its full benefit policymakers must navigate in the same direction. A cohesive global marketplace will offer more value than the sum of its parts.